Microsoft's honeypot-based research has highlighted common password mistakes, as well as shedding light on automated hacking techniques.
Attack data collected from an FTP-server honeypot revealed that most attacks attempted to log into administrator accounts (Administrator and the French equivalent Administrateur were by far the …

#!comment: ?

Re: #!comment:

Obviously many attackers are using a well-known password.lst file as the basis of their attacks.

This file starts:

#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
#!comment: This is a list of passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first).
#!comment:
#!comment: Last update: 2005/12/16 (3107 entries)

or similar, then has a list of passwords.

So I think that there may be a certain amount of "parsing fail" on the part of the attackers: they're treating the comment lines at the top of the file as entries and using them as the basis for break-in attempts in addition to the proper entries in the file.

Bonnet network?

How DARE you take advantage of MY blithering idiot!

"A password-checking tool developed by Microsoft (here) allows users to check on the strength of the passwords they pick"

Try as I might, I could not bring myself to type a real password into the box. The more I thought about it, the more it felt like some kind of gullibility test.

'Microsoft found that 90% of users entered a valid password on their password checking page without even attempting to negotiate some sort of chocolate reward. "What a bunch of numpties" commented a despairing Bill Gates.'

My favourite

use pass phrase

Instead of using passwords that are one word, you should use pass phrases like "ilovetoeat". Upper and lower case, I think, help the most, but just to get length: they usually haven't computed hashes for passwords that long, and brute force would take forever.

Wow

It took them 1 year to come to this? I have some very innocent server sitting at home and can get to those conclusions in a week. Actually not any more, as fail2ban is doing a very good job nowadays ;)

Have a server online - have tons of attacks. Simple as that. Strong passwords should be the norm, unless you're the US Military and want to invite some UFO-seeking guys ;) Banning users after a few unsuccessful attempts also. Port stealthing, and so on. Any admin worth their pay knows this. Sadly not many MCSEs... (yeah, I'm one, still prefer Linux)

Or: head -c 6 /dev/urandom | uuencode -m -

Generally you're better off using /dev/urandom than /dev/random: it's not genuinely random, but it's cryptographically as strong as lots of other maths you already depend on, and it won't block.

By the way, is there any point to this advice about mixing upper and lower case? Even if you use a totally random mixture of cases in an 8-character password you've added less entropy than you'd get by adding a couple of random extra letters, but the extra letters would be easier to remember and easier to type. So perhaps, if you're using a randomly generated password, you should use just lower-case letters and make the password a bit longer, say 11 characters instead of 8.

ms password checking tool.

I generated a bunch of random decimal numbers of lengths from 200 to 3600 digits, and asked it what it thought of them. It rated them all as 'weak'.

If Microsoft believe a 3600-digit decimal number is easily guessable, that could explain why we have to buy new bloody computers every ten bleeding minutes to keep up with the exponentially-growing amount of crappy bloatware in their products. I can imagine the reasoning on their dev teams:

"Include a pre-startup process that solves the halting problem? Sure, why not, the suckers will just think it's time they got a faster cpu yet again. We'll slap a sticker on it and call it 'NP-ready' or something - leave marketing to worry about the details."

Weak password policy

Many organisations almost insist on weak passwords: by irrational devotion to password expiry, which has to be one of the most overrated security policies. The more important you are 'technically', the more passwords you have to remember. And quite often the IT support services will give the same person the same username on different environments, meaning that using similar passwords is more risky. Add a frequent expiry policy and you have a recipe for disaster: either passwords get too simple, or they get stored.

Weak^H^H^H^Hpassword policy

Equally awful is an overly descriptive password policy coupled to this.

One I saw stated that your pwd had to be at least eight chars including both upper and lower case and at least one number.

I pointed out that my guess, as it was a mixed "green screen" UNIX and PC environment, would be that 99% of them would be a dictionary word of seven letters with the first capitalised and either a "1" or a "0" on the end. The number of red faces amongst the sekkuritty dweebs round the table when I came up with that statement was very scary indeed.

I hate that too.

Personally, I take advantage of my admin rights to reset my passwords to the same thing before they expire -- then think of a better password at my own leisure.

I take issue with the "you must never make a note of your password" type "rules" -- it's perfectly OK to make a note of passwords -- just guard them the same way you would your credit card, cheque book, or keys.

Personally, I make a note of my (non-banking) passwords and store it in my wallet (without usernames or any explanation of what they are) -- that way if my wallet goes missing I can just reset my passwords while I'm on the phone to the credit card company.

MS password checker - lol

Too right.......

I work for a global multi mega corp over here in the UK and recently the Password policy for the intranet was beefed up (we still use IE6 on XP!) so I tried to set my new password to something along the lines of this:

six letter word spelled backwards _ number number

OK, so it wouldn't accept that regDab_36 was a strong enough password, so I tried several other six- and even seven-letter words, varied the upper and lower case, special characters and numbers, and I couldn't get anything to work. I then tried Pa$$word for a laugh................

Now when this got accepted (with a "Strong" in the password strength display) I couldn't believe it, so I actually contacted the Intranet security team and told them. Their response? Because the dictionary word was broken in the middle with special characters it was essentially a strong password. I asked them if they read any articles on hacking because I believed that Password and variants (pa$$word, p@ssword, pas$w0rd) etc. would be up in maybe the top 10 to 20 things to try, but they told me that no, my password was good and secure!

I have to change it again this month, I wonder if I could use Pa££word for the next three months?

Reg honestly... use the https link please

Gee, what an INTERESTING idea...

So let me get this straight -- Microsoft, in an effort to make my passwords more secure, is offering a tool for testing candidate passwords that is basically A WEB PAGE??? This is a Very Bad Idea for so many reasons, it's impossible to list them all. Just a few that occur to my paranoid brain right away:

1) Does the tool send my password over the 'Net to check it? Is it even encrypted? (The site isn't even https://...) What IS the tool, really? Can we audit its source? Can we trust it?

2) How do I know WHAT they're doing with my proposed passwords? If they store them, even anonymized for statistical purposes, their tools site (hosted, no doubt, on Windows, the world's most secure OS <snort>) just became Cracker Target Number One, as a gold mine of new dictionary entries for attack tools. (Hey, mebbe that's why MS built it to start with, to generate new strength-testing dictionaries.)

3) Let's say some evil genius manages to crack their server and edits the tool to report who has tested what passwords. We'll never know until/unless someone gets pwned because of this, traces it to the altered tool, and does a forensic analysis of the tool itself. In other words, we'd probably never find out.

Yep, sounds like a really good idea to me. I can't wait to test ALL my passwords with it. NOT!

fail

No surprise there

The fundamental problem is that the people defining "password strength" [1] can't do arithmetic and [2] are stuck in the past. They don't understand what contribution symbol space and field size actually make to the equation so they just go for what "looks complicated", and their assumptions about brute forcing are based on decades-old histories of offline cracking of UNIX password files, which is not the main current threat.

The two greatest single strength factors against brute force at a user interface are limited retries and backoff time. After that, non-obvious password choice (e.g. not "password"). I always recommend an acronym of a private but memorable phrase at least eight words long. The user doesn't have to remember a complex string of arbitrary characters (something our brains are generally bad at). Instead she remembers the phrase (something our brains are quite good at) and reconstructs the password each time she needs it by repeating the phrase to herself as she enters the password.

Assuming nothing but lower case letters, that yields roughly 2x10^11 (2 followed by eleven zeros) possible passwords, and the vast majority will not be dictionary words (unless you intentionally choose a phrase that has a dictionary word as an acronym). So let's arbitrarily and pessimistically throw away half of them to allow for bad choices. It's still 10^11. So statistically a brute forcer will need to make around 5x10^10 attempts. Limit the login interface to three failed attempts per, say, 15 minute interval or 12 per hour, and it will take about 490 thousand years on average to break in. By then you should have had some kind of admin alert from the system.
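An added example, not from any of the comments in this thread, that checks two of the claims above numerically: the earlier remark that random mixed case in an 8-letter password adds less entropy than two extra lowercase letters, and this comment's estimate that a login limited to 12 attempts per hour turns an 8-letter lowercase password into a job of around half a million years. The sample passwords come from Python's secrets module, which reads the OS CSPRNG (the same source as the head -c 6 /dev/urandom one-liner further up). The 10^9 guesses-per-second offline rate is an assumed figure included for contrast; the thread does not give one.

```python
"""Added example: what a password policy actually buys, in bits and in years.

Not from the thread above. Checks two claims made by commenters:
  * random mixed case on an 8-letter password is worth less than two extra
    lowercase letters;
  * an online guesser limited to 12 attempts/hour needs roughly half a
    million years against an 8-letter lowercase password.
"""
import math
import secrets
import string

HOURS_PER_YEAR = 365.25 * 24


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a string chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def random_password(alphabet: str = string.ascii_lowercase, length: int = 11) -> str:
    """Draw each character from the OS CSPRNG (same source as /dev/urandom)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_crack_online(alphabet_size: int, length: int,
                          attempts_per_hour: float,
                          usable_fraction: float = 0.5) -> float:
    """Expected years for an online attacker throttled by the login interface.

    usable_fraction reproduces the comment's pessimism (throw away half the
    space for bad choices); on average half of what remains must be tried.
    """
    keyspace = alphabet_size ** length * usable_fraction
    expected_attempts = keyspace / 2
    return expected_attempts / attempts_per_hour / HOURS_PER_YEAR


def seconds_to_crack_offline(alphabet_size: int, length: int,
                             guesses_per_second: float) -> float:
    """Expected seconds when the attacker holds the hash and has no rate limit.

    guesses_per_second depends on the hash function and the hardware; the
    value used in policy_report() is an assumed figure, not from the thread.
    """
    return alphabet_size ** length / 2 / guesses_per_second


def policy_report() -> dict:
    """Side-by-side comparison of the policies argued about in the thread."""
    lower8 = bits_of_entropy(26, 8)
    mixed8 = bits_of_entropy(52, 8)      # random case on every letter
    lower10 = bits_of_entropy(26, 10)
    lower11 = bits_of_entropy(26, 11)
    return {
        "bits_lower8": lower8,
        "bits_mixed8": mixed8,
        "bits_lower10": lower10,
        "bits_lower11": lower11,
        "mixed_case_gain_bits": mixed8 - lower8,          # exactly 8.0
        "two_more_letters_gain_bits": lower10 - lower8,   # about 9.4
        # 3 failures per 15 minutes = 12 attempts/hour, as in the comment
        "online_years_lower8_at_12_per_hour": years_to_crack_online(26, 8, 12),
        # assumed offline rate of 1e9 guesses/s against a fast unsalted hash
        "offline_seconds_lower8_at_1e9_per_s": seconds_to_crack_offline(26, 8, 1e9),
    }


if __name__ == "__main__":
    for key, value in policy_report().items():
        print(f"{key:40s} {value:,.1f}")
    print("sample 11-char lowercase password:", random_password())
```

The two numbers worth staring at are the last two in the report: the same 8-letter lowercase password that holds out for hundreds of thousands of years behind a 12-per-hour lockout lasts about a minute and a half once the hash is offline and unthrottled, which is the point the comment above makes about retries and backoff being the strength factors at the user interface.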

Insecure facilities

Using insecure facilities to test passwords, WTH?

Do MS give a damn at all? I'd be a little more convinced if a) altering a password by adding one digit did not have such a significant effect on the test result (as already observed) and b) they cared enough to use https.

Easier Strong Passwords

Posted Friday 4th December 2009 09:50 GMT

Many sites restrict their passwords to 6 or 8 letters and digits, which means you can never be secure there, so beware.

Often recommendations suggest gobbledygook such as g$@hj48(tHy^. These are hard to remember, and may also be subject to bias in choosing patterns on the keyboard - yes, crackers do look for such patterns. Note, also, that a determined cracker with enough computing power can crack *any* password - we can only try our best.

Here are illustrative strong(ish) passwords. I leave it up to you to discover how each construction may be remembered.

deleted

Another MS Fail!

I work for an IT firm who do an awful lot of pen-testing for our customers, and recently we ran an off-the-shelf password cracking tool on our own network. I'd love to say we passed muster, but the fella who left the scan running overnight, expecting it to take days, found it had discovered over 50% of our users' passwords in about 15 hours!!

According to him and other folks I've spoken to, your password's not secure unless it's 14 characters or more and is not one or more dictionary words, and that includes special character substitution e.g. S - $, a - @, i - 1 etc. It's dead easy to find a tool that runs a dictionary attack, then runs it again substituting 1's for i's, 0's for o's etc.

The most frustrating thing is the limit for my online banking is 12 characters, none special, and then MS failing to preach the proper mantra. Built from scratch with security in mind my a**e!!!
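An added example, not from any comment in this thread, that puts two of the observations above together: the wordlist loader skips the "#!comment:" header lines that the honeypot data suggests some attackers were feeding in as passwords, and the mangling step applies the rules this comment describes (case variants, leet substitutions such as S to $, a to @, i to 1, plus a short suffix), which is all it takes to recover Pa$$word, p@ssword and pas$w0rd from the single entry "password". The sample wordlist, the substitution table and the suffix list are constructed here, and unsalted SHA-256 stands in for whatever hash the real tool was attacking.

```python
"""Added example: why Pa$$word, p@ssword and Letmein1 fall to a dictionary attack.

Not from the thread above. A wordlist loader that drops the '#!comment:'
header lines (the "parsing fail" an earlier comment noticed in the honeypot
data), plus the mangling rules the pen-testing comment describes: case
variants, leet substitutions and a short numeric/punctuation suffix.
Unsalted SHA-256 stands in for whatever hash the real tool attacked; the
substitution table, suffix list and wordlist are all constructed here.
"""
import hashlib
import itertools
from typing import Iterable, Iterator, List, Optional

# Constructed sample in the shape of the openwall password.lst header.
SAMPLE_WORDLIST = """#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
123456
password
letmein
"""

# Assumed substitution table: letter -> symbols people swap in for it.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
# Assumed suffixes; "" keeps the unsuffixed guess.
SUFFIXES = ("", "0", "1", "!", "123")


def load_wordlist(text: str) -> List[str]:
    """Return the real entries only.

    Without the '#!comment:' filter the header lines would be tried as
    passwords, which is what the honeypot appears to have seen.
    """
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("#!comment:")]


def leet_variants(word: str) -> Iterator[str]:
    """Every combination of leaving each letter alone or substituting it."""
    choices = [c + LEET.get(c.lower(), "") for c in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Mangled guesses, plain word first, deduplicated."""
    seen = set()
    for word in words:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = variant + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def sha256_hex(s: str) -> str:
    """Stand-in for the target hash type; real tools target the system's own."""
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex: str, words: Iterable[str]) -> Optional[str]:
    """Return the guess whose hash matches, or None once the list is exhausted."""
    for guess in candidates(words):
        if sha256_hex(guess) == target_hex:
            return guess
    return None


def count_candidates(words: Iterable[str]) -> int:
    """Size of the mangled search space; tiny next to 26**8 random letters."""
    return sum(1 for _ in candidates(words))


if __name__ == "__main__":
    entries = load_wordlist(SAMPLE_WORDLIST)
    print(len(entries), "entries,", count_candidates(entries), "mangled guesses")
    for secret in ("Pa$$word", "p@ssword", "pas$w0rd", "Letmein1", "zq7Vb#k"):
        print(f"{secret:10s} -> {crack(sha256_hex(secret), entries)}")
```

The three "password" entries and the "Letmein1" pattern (seven-letter word, capitalised, digit on the end, as described in an earlier comment) are all found from a three-word list, while a short random string is not; the number printed by count_candidates is the whole space the attacker has to cover, which is why a substitution-only policy does not buy the strength its checker reports.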

Strong passwords

The problem with strong passwords is that you inevitably have to store them somewhere, especially if you have to have a different password for every application and even more so if you are forced to change your password every 45 days or so. So of course you keep all your passwords in some highly insecure file somewhere!

When I worked for a large mega-corp (that's since dwindled away to nothing) the password checker banned any password containing a "dictionary word". The dictionary must have contained words I never heard of, but missed out common English words where the American spelling was different! The big problem with this strategy is that if you can identify the dictionary words it dramatically cuts down the number of combinations you need to try in a brute force attack.

I tend to use phrases

with random capitalizations and number substitutions...

Although they can be quite long (>14 chars), they are easy to remember, and even with 3 monthly expiry, the same phrase can be used for a year at least just by changing which characters are capitalized / substituted.